Added a workaround for Docker's inability to modify /etc/hosts in the…

… container. See Docker bug 2267: moby/moby#2267
protosrc · Jul 12, 2014 · 04d9818 · 04d9818
1 parent 2f67ee2
commit 04d9818
Show file tree

Hide file tree

Showing 5 changed files with 39 additions and 2 deletions.
diff --git a/Changelog.md b/Changelog.md
@@ -1,6 +1,6 @@
 ## 0.9.12 (not yet released)
 
- * TODO
+ * Added a workaround for Docker's inability to modify /etc/hosts in the container ([Docker bug 2267](https://github.com/dotcloud/docker/issues/2267)). Please refer to the README for details.
 
 ## 0.9.11 (release date: 2014-06-24)
 

diff --git a/README.md b/README.md
@@ -1,6 +1,6 @@
 # A minimal Ubuntu base image modified for Docker-friendliness
 
-Baseimage-docker is a special [Docker](http://www.docker.io) image that is configured for correct use within Docker containers. It is Ubuntu, plus modifications for Docker-friendliness. You can use it as a base for your own Docker images.
+Baseimage-docker is a special [Docker](http://www.docker.io) image that is configured for correct use within Docker containers. It is Ubuntu, plus modifications for Docker-friendliness, plus workarounds for [some Docker bugs](#workaroud_modifying_etc_hosts). You can use it as a base for your own Docker images.
 
 Baseimage-docker is available for pulling from [the Docker registry](https://index.docker.io/u/phusion/baseimage/)!
 
@@ -52,6 +52,7 @@ You can configure the stock `ubuntu` image yourself from your Dockerfile, so why
      * [Using your own key](#using_your_own_key)
      * [The `docker-bash` tool](#docker_bash)
    * [Disabling SSH](#disabling_ssh)
+   * [Working around Docker's inability to modify /etc/hosts](#workaroud_modifying_etc_hosts)
  * [Building the image yourself](#building)
  * [Conclusion](#conclusion)
 
@@ -76,9 +77,12 @@ You can configure the stock `ubuntu` image yourself from your Dockerfile, so why
 | cron | The cron daemon must be running for cron jobs to work. |
 | [runit](http://smarden.org/runit/) | Replaces Ubuntu's Upstart. Used for service supervision and management. Much easier to use than SysV init and supports restarting daemons when they crash. Much easier to use and more lightweight than Upstart. |
 | `setuser` | A tool for running a command as another user. Easier to use than `su`, has a smaller attack vector than `sudo`, and unlike `chpst` this tool sets `$HOME` correctly. Available as `/sbin/setuser`. |
+| Workarounds for Docker bugs | [Learn more.](#workaroud_modifying_etc_hosts) |
 
 Baseimage-docker is very lightweight: it only consumes 6 MB of memory.
 
+It also works around Docker bug.
+
 <a name="docker_single_process"></a>
 ### Wait, I thought Docker is about running a single process in a container?
 
@@ -414,6 +418,27 @@ In case you do not want to enable SSH, here's how you can disable it:
 
     RUN rm -rf /etc/service/sshd /etc/my_init.d/00_regen_ssh_host_keys.sh
 
+<a name="workaroud_modifying_etc_hosts"></a>
+### Working around Docker's inability to modify /etc/hosts
+
+It is currently not possible to modify /etc/hosts inside a Docker container because of [Docker bug 2267](https://github.com/dotcloud/docker/issues/2267). Baseimage-docker includes a workaround for this. You have to be explicitly opt-in for the workaround.
+
+The workaround involves modifying a system library, libnss_files.so.2, so that it looks for the host file in /etc/workaround-docker-2267/hosts instead of /etc/hosts. Instead of modifying /etc/hosts, you modify /etc/workaround-docker-2267/hosts instead.
+
+Add this to your Dockerfile to opt-in for the workaround. This command modifies libnss_files.so.2 as described above.
+
+    RUN /usr/bin/workaround-docker-2267
+
+(You don't necessarily have to run this command from the Dockerfile. You can also run it from a shell inside the container.)
+
+To verify that it works, [open a bash shell in your container](#inspecting), modify /etc/workaround-docker-2267/hosts, and check whether it had any effect:
+
+    bash# echo 127.0.0.1 my-test-domain.com >> /etc/workaround-docker-2267/hosts
+    bash# ping my-test-domain.com
+    ...should ping 127.0.0.1...
+
+**Note on apt-get upgrading:** if any Ubuntu updates overwrite libnss_files.so.2, then the workaround is removed. You have to re-enable it by running `/usr/bin/workaround-docker-2267`. To be safe, you should run this command every time after running `apt-get upgrade`.
+
 <a name="conclusion"></a>
 ## Conclusion
 

diff --git a/image/bin/my_init b/image/bin/my_init
@@ -56,6 +56,9 @@ def is_exe(path):
 	except OSError:
 		return False
 
+def create_hosts_file():
+	run_command_killable("/bin/cp", "/etc/hosts", "/etc/workaround-docker-2267/")
+
 def import_envvars(clear_existing_environment = True, override_existing_environment = True):
 	new_env = {}
 	for envfile in listdir("/etc/container_environment"):
@@ -249,6 +252,7 @@ def install_insecure_key():
 	run_command_killable("/usr/sbin/enable_insecure_key")
 
 def main(args):
+	create_hosts_file()
 	import_envvars(False, False)
 	export_envvars()
 

diff --git a/image/bin/workaround-docker-2267 b/image/bin/workaround-docker-2267
@@ -0,0 +1,2 @@
+#!/bin/sh
+exec /usr/bin/perl -pi -e 's:/etc/hosts:/cte/hosts:g' /lib/x86_64-linux-gnu/libnss_files.so.2
diff --git a/image/prepare.sh b/image/prepare.sh
@@ -30,6 +30,12 @@ ln -sf /bin/true /sbin/initctl
 dpkg-divert --local --rename --add /usr/bin/ischroot
 ln -sf /bin/true /usr/bin/ischroot
 
+## Workaround https://github.com/dotcloud/docker/issues/2267,
+## not being able to modify /etc/hosts.
+mkdir -p /etc/workaround-docker-2267
+ln -s /etc/workaround-docker-2267 /cte
+cp /build/bin/workaround-docker-2267 /usr/bin/
+
 ## Install HTTPS support for APT.
 $minimal_apt_get_install apt-transport-https ca-certificates